ASA-201907-3 generated external raw

[ASA-201907-3] python2-django: silent downgrade
Arch Linux Security Advisory ASA-201907-3 ========================================= Severity: High Date : 2019-07-06 CVE-ID : CVE-2019-12781 Package : python2-django Type : silent downgrade Remote : Yes Link : https://security.archlinux.org/AVG-1001 Summary ======= The package <a href="/package/python2-django">python2-django</a> before version 1.11.22-1 is vulnerable to silent downgrade. Resolution ========== Upgrade to 1.11.22-1. # pacman -Syu "python2-django>=1.11.22-1" The problem has been fixed upstream in version 1.11.22. Workaround ========== None. Description =========== An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP. Impact ====== A remote attacker is able to perform a man-in-the-middle attack if a HTTP request is not redirected to HTTPS. References ========== https://docs.djangoproject.com/en/2.2/releases/2.2.3/ https://www.openwall.com/lists/oss-security/2019/07/01/3 https://github.com/django/django/commit/77706a3e4766da5d5fb75c4db22a0a59a28e6cd6 https://security.archlinux.org/CVE-2019-12781